* [PATCH] KVM: x86/emulator: Bounds check reg nr against reg array size
@ 2022-05-20 16:57 Kees Cook
2022-05-20 17:32 ` Sean Christopherson
2022-05-20 18:48 ` Sean Christopherson
0 siblings, 2 replies; 4+ messages in thread
From: Kees Cook @ 2022-05-20 16:57 UTC (permalink / raw)
To: Paolo Bonzini
Cc: Kees Cook, Sean Christopherson, Vitaly Kuznetsov, Wanpeng Li,
Jim Mattson, x86, H. Peter Anvin, kvm, Joerg Roedel,
linux-kernel, linux-hardening
GCC 12 sees that it might be possible for "nr" to be outside the _regs
array. Add explicit bounds checking.
In function 'reg_read',
inlined from 'reg_rmw' at ../arch/x86/kvm/emulate.c:266:2:
../arch/x86/kvm/emulate.c:254:27: warning: array subscript 32 is above array bounds of 'long unsigned int[17]' [-Warray-bounds]
254 | return ctxt->_regs[nr];
| ~~~~~~~~~~~^~~~
In file included from ../arch/x86/kvm/emulate.c:23:
../arch/x86/kvm/kvm_emulate.h: In function 'reg_rmw':
../arch/x86/kvm/kvm_emulate.h:366:23: note: while referencing '_regs'
366 | unsigned long _regs[NR_VCPU_REGS];
| ^~~~~
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Sean Christopherson <seanjc@google.com>
Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
Cc: Wanpeng Li <wanpengli@tencent.com>
Cc: Jim Mattson <jmattson@google.com>
Cc: x86@kernel.org
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: kvm@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
arch/x86/kvm/emulate.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 89b11e7dca8a..fbcbc012a3ae 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -247,6 +247,8 @@ enum x86_transfer_type {
static ulong reg_read(struct x86_emulate_ctxt *ctxt, unsigned nr)
{
+ if (WARN_ON(nr >= ARRAY_SIZE(ctxt->_regs)))
+ return 0;
if (!(ctxt->regs_valid & (1 << nr))) {
ctxt->regs_valid |= 1 << nr;
ctxt->_regs[nr] = ctxt->ops->read_gpr(ctxt, nr);
@@ -256,6 +258,8 @@ static ulong reg_read(struct x86_emulate_ctxt *ctxt, unsigned nr)
static ulong *reg_write(struct x86_emulate_ctxt *ctxt, unsigned nr)
{
+ if (WARN_ON(nr >= ARRAY_SIZE(ctxt->_regs)))
+ return 0;
ctxt->regs_valid |= 1 << nr;
ctxt->regs_dirty |= 1 << nr;
return &ctxt->_regs[nr];
--
2.32.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] KVM: x86/emulator: Bounds check reg nr against reg array size
2022-05-20 16:57 [PATCH] KVM: x86/emulator: Bounds check reg nr against reg array size Kees Cook
@ 2022-05-20 17:32 ` Sean Christopherson
2022-05-20 18:19 ` Kees Cook
2022-05-20 18:48 ` Sean Christopherson
1 sibling, 1 reply; 4+ messages in thread
From: Sean Christopherson @ 2022-05-20 17:32 UTC (permalink / raw)
To: Kees Cook
Cc: Paolo Bonzini, Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, x86,
H. Peter Anvin, kvm, Joerg Roedel, linux-kernel, linux-hardening
On Fri, May 20, 2022, Kees Cook wrote:
> GCC 12 sees that it might be possible for "nr" to be outside the _regs
> array. Add explicit bounds checking.
I think GCC 12 is wrong.
There are four uses of reg_rmw() that don't use hardcoded registers:
$ git grep reg_rmw | grep -v VCPU_REGS_
emulate.c:static ulong *reg_rmw(struct x86_emulate_ctxt *ctxt, unsigned nr)
1 emulate.c: ulong *preg = reg_rmw(ctxt, reg);
2 emulate.c: p = (unsigned char *)reg_rmw(ctxt, modrm_reg & 3) + 1;
3 emulate.c: p = reg_rmw(ctxt, modrm_reg);
4 emulate.c: assign_register(reg_rmw(ctxt, reg), val, ctxt->op_bytes);
#1 has three users, but two of those use hardcoded registers.
$ git grep register_address_increment | grep -v VCPU_REGS_
emulate.c:register_address_increment(struct x86_emulate_ctxt *ctxt, int reg, int inc)
emulate.c: register_address_increment(ctxt, reg, df * op->bytes);
and that last one is string_addr_inc(), which is only called with RDI or RSI.
#2 can't overflow as the register can only be 0-3 (yay AH/BH/CH/DH operands).
#3 is the !highbyte path of decode_register(), and is a bit messy, but modrm_reg
is always sanitized.
$ git grep -E "decode_register\("
emulate.c:static void *decode_register(struct x86_emulate_ctxt *ctxt, u8 modrm_reg,
a emulate.c: op->addr.reg = decode_register(ctxt, reg, ctxt->d & ByteOp);
b emulate.c: op->addr.reg = decode_register(ctxt, ctxt->modrm_rm,
c emulate.c: ctxt->memop.addr.reg = decode_register(ctxt,
ctxt->modrm_rm, true);
For (b) and (c), modrm_reg == ctxt->modrm_rm, which is computed in one place and
is bounded to 0-15:
base_reg = (ctxt->rex_prefix << 3) & 8; /* REX.B */
ctxt->modrm_rm = base_reg | (ctxt->modrm & 0x07);
For (a), "reg" is either modrm_reg or a register that is encoded in the opcode,
both of which are again bounded to 0-15:
unsigned reg = ctxt->modrm_reg;
if (!(ctxt->d & ModRM))
reg = (ctxt->b & 7) | ((ctxt->rex_prefix & 1) << 3);
and
ctxt->modrm_reg = ((ctxt->rex_prefix << 1) & 8); /* REX.R */
ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3;
#4 is em_popa() and is just funky hardcoding of popping RAX-RDI, minus RSP.
I did the same exercise for reg_reg() and write_reg(), and the handful of
non-hardcoded use are all bounded in similar ways.
> In function 'reg_read',
> inlined from 'reg_rmw' at ../arch/x86/kvm/emulate.c:266:2:
Is there more of the "stack" available? I don't mind the WARN too much, but if
there is a bug lurking I would much rather fix the bug.
> ../arch/x86/kvm/emulate.c:254:27: warning: array subscript 32 is above array bounds of 'long unsigned int[17]' [-Warray-bounds]
> 254 | return ctxt->_regs[nr];
> | ~~~~~~~~~~~^~~~
> In file included from ../arch/x86/kvm/emulate.c:23:
> ../arch/x86/kvm/kvm_emulate.h: In function 'reg_rmw':
> ../arch/x86/kvm/kvm_emulate.h:366:23: note: while referencing '_regs'
> 366 | unsigned long _regs[NR_VCPU_REGS];
> | ^~~~~
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] KVM: x86/emulator: Bounds check reg nr against reg array size
2022-05-20 17:32 ` Sean Christopherson
@ 2022-05-20 18:19 ` Kees Cook
0 siblings, 0 replies; 4+ messages in thread
From: Kees Cook @ 2022-05-20 18:19 UTC (permalink / raw)
To: Sean Christopherson
Cc: Paolo Bonzini, Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, x86,
H. Peter Anvin, kvm, Joerg Roedel, linux-kernel, linux-hardening
On Fri, May 20, 2022 at 05:32:04PM +0000, Sean Christopherson wrote:
> On Fri, May 20, 2022, Kees Cook wrote:
> > GCC 12 sees that it might be possible for "nr" to be outside the _regs
> > array. Add explicit bounds checking.
>
> I think GCC 12 is wrong.
I think it's more like GCC is extremely conservative about these things,
and assumes the worst when, for whatever reason, it can't track
something.
> There are four uses of reg_rmw() that don't use hardcoded registers:
>
> $ git grep reg_rmw | grep -v VCPU_REGS_
> emulate.c:static ulong *reg_rmw(struct x86_emulate_ctxt *ctxt, unsigned nr)
> 1 emulate.c: ulong *preg = reg_rmw(ctxt, reg);
> 2 emulate.c: p = (unsigned char *)reg_rmw(ctxt, modrm_reg & 3) + 1;
> 3 emulate.c: p = reg_rmw(ctxt, modrm_reg);
> 4 emulate.c: assign_register(reg_rmw(ctxt, reg), val, ctxt->op_bytes);
>
> #1 has three users, but two of those use hardcoded registers.
>
> $ git grep register_address_increment | grep -v VCPU_REGS_
> emulate.c:register_address_increment(struct x86_emulate_ctxt *ctxt, int reg, int inc)
> emulate.c: register_address_increment(ctxt, reg, df * op->bytes);
>
> and that last one is string_addr_inc(), which is only called with RDI or RSI.
>
> #2 can't overflow as the register can only be 0-3 (yay AH/BH/CH/DH operands).
>
> #3 is the !highbyte path of decode_register(), and is a bit messy, but modrm_reg
> is always sanitized.
>
> $ git grep -E "decode_register\("
> emulate.c:static void *decode_register(struct x86_emulate_ctxt *ctxt, u8 modrm_reg,
> a emulate.c: op->addr.reg = decode_register(ctxt, reg, ctxt->d & ByteOp);
> b emulate.c: op->addr.reg = decode_register(ctxt, ctxt->modrm_rm,
> c emulate.c: ctxt->memop.addr.reg = decode_register(ctxt,
> ctxt->modrm_rm, true);
>
> For (b) and (c), modrm_reg == ctxt->modrm_rm, which is computed in one place and
> is bounded to 0-15:
>
> base_reg = (ctxt->rex_prefix << 3) & 8; /* REX.B */
> ctxt->modrm_rm = base_reg | (ctxt->modrm & 0x07);
>
> For (a), "reg" is either modrm_reg or a register that is encoded in the opcode,
> both of which are again bounded to 0-15:
>
> unsigned reg = ctxt->modrm_reg;
>
> if (!(ctxt->d & ModRM))
> reg = (ctxt->b & 7) | ((ctxt->rex_prefix & 1) << 3);
>
> and
>
> ctxt->modrm_reg = ((ctxt->rex_prefix << 1) & 8); /* REX.R */
> ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3;
>
> #4 is em_popa() and is just funky hardcoding of popping RAX-RDI, minus RSP.
>
> I did the same exercise for reg_reg() and write_reg(), and the handful of
> non-hardcoded use are all bounded in similar ways.
Thanks for digging into this. I tried to do the same and started to lose
track of things.
>
> > In function 'reg_read',
> > inlined from 'reg_rmw' at ../arch/x86/kvm/emulate.c:266:2:
>
> Is there more of the "stack" available? I don't mind the WARN too much, but if
> there is a bug lurking I would much rather fix the bug.
Agreed, but I haven't found a way to get more context here. I think I
found a separate place where GCC really does look to have a bug, as it
complains about array usage that is explicitly bounded. :P
--
Kees Cook
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] KVM: x86/emulator: Bounds check reg nr against reg array size
2022-05-20 16:57 [PATCH] KVM: x86/emulator: Bounds check reg nr against reg array size Kees Cook
2022-05-20 17:32 ` Sean Christopherson
@ 2022-05-20 18:48 ` Sean Christopherson
1 sibling, 0 replies; 4+ messages in thread
From: Sean Christopherson @ 2022-05-20 18:48 UTC (permalink / raw)
To: Kees Cook
Cc: Paolo Bonzini, Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, x86,
H. Peter Anvin, kvm, Joerg Roedel, linux-kernel, linux-hardening
On Fri, May 20, 2022, Kees Cook wrote:
> GCC 12 sees that it might be possible for "nr" to be outside the _regs
> array. Add explicit bounds checking.
>
> In function 'reg_read',
> inlined from 'reg_rmw' at ../arch/x86/kvm/emulate.c:266:2:
> ../arch/x86/kvm/emulate.c:254:27: warning: array subscript 32 is above array bounds of 'long unsigned int[17]' [-Warray-bounds]
> 254 | return ctxt->_regs[nr];
> | ~~~~~~~~~~~^~~~
> In file included from ../arch/x86/kvm/emulate.c:23:
> ../arch/x86/kvm/kvm_emulate.h: In function 'reg_rmw':
> ../arch/x86/kvm/kvm_emulate.h:366:23: note: while referencing '_regs'
> 366 | unsigned long _regs[NR_VCPU_REGS];
> | ^~~~~
>
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Cc: Sean Christopherson <seanjc@google.com>
> Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
> Cc: Wanpeng Li <wanpengli@tencent.com>
> Cc: Jim Mattson <jmattson@google.com>
> Cc: x86@kernel.org
> Cc: "H. Peter Anvin" <hpa@zytor.com>
> Cc: kvm@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> arch/x86/kvm/emulate.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> index 89b11e7dca8a..fbcbc012a3ae 100644
> --- a/arch/x86/kvm/emulate.c
> +++ b/arch/x86/kvm/emulate.c
> @@ -247,6 +247,8 @@ enum x86_transfer_type {
>
> static ulong reg_read(struct x86_emulate_ctxt *ctxt, unsigned nr)
> {
> + if (WARN_ON(nr >= ARRAY_SIZE(ctxt->_regs)))
> + return 0;
> if (!(ctxt->regs_valid & (1 << nr))) {
> ctxt->regs_valid |= 1 << nr;
> ctxt->_regs[nr] = ctxt->ops->read_gpr(ctxt, nr);
> @@ -256,6 +258,8 @@ static ulong reg_read(struct x86_emulate_ctxt *ctxt, unsigned nr)
>
> static ulong *reg_write(struct x86_emulate_ctxt *ctxt, unsigned nr)
> {
> + if (WARN_ON(nr >= ARRAY_SIZE(ctxt->_regs)))
> + return 0;
This is wrong, reg_write() confusingly returns a pointer the register to be written,
it doesn't actually do the write. So if we want to guard against array overflow,
it would be better to cap @nr and continue on, i.e. assume some higher bit was
spuriously set.
The other oddity here is that VCPU_REGS_RIP should never be read, the RIP relative
code reads _eip directly. I.e. _regs[] should really be VCPU_REGS_R15+1. And
adding a #define for that would clean up this bit of code in writeback_registers()
that hardcodes 16 (rax - r15) GPRs:
for_each_set_bit(reg, (ulong *)&ctxt->regs_dirty, 16)
ctxt->ops->write_gpr(ctxt, reg, ctxt->_regs[reg]);
Lastly, casting regs_dirty to an unsigned long pointer is all kinds of gross, e.g.
if it were moved to the end of struct x86_emulate_ctxt then the above could trigger
an out-of-bounds read.
I'll whip up a small series to clean this code up and add WARNs similar to above.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-05-20 18:48 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-20 16:57 [PATCH] KVM: x86/emulator: Bounds check reg nr against reg array size Kees Cook
2022-05-20 17:32 ` Sean Christopherson
2022-05-20 18:19 ` Kees Cook
2022-05-20 18:48 ` Sean Christopherson
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.